EJBCA 7.8.0 Upgrade Notes

Below are important changes and requirements when upgrading from EJBCA 7.7.0 to EJBCA 7.8.0.

For upgrade instructions and information on upgrade paths, see Upgrading EJBCA . For details of the new features and improvements in this release, see the EJBCA 7.8.0 Release Notes.

Upgrade Actions

AUD Claim needs to be set for OAuth Providers prior to Post-Upgrade

Upon performing the upgrade to EJBCA 7.8.0, a new field will be added to each defined OAuth provider defining an Audience claim. Post-upgrade will refuse to run until this field has been filled in for all defined OAuth providers.

images/download/attachments/132449332/Screenshot_2021-09-23_at_17.19.33.png

Checking the aud claim for all OAuth authenticated users will commence after post-upgrade has been run. If no OAuth providers have been defined, then this step can be disregarded.

Behavioral Changes

ACME Certificate Enrollment

End entity profiles used for ACME certificate enrollment must have the Batch generation (clear text pwd storage) option enabled. For more information, see End Entity Profile Configuration in ACME.

Database Changes

Table added to tracking aborted issuance operations

A new table, IncompleteIssuanceJournalData, has been added to track failed or aborted certificate issuance operations when Certificate Transparency is being used.

Just like other tables, this table is by default created on startup.

Table definitions are available in doc/sql-scripts/create-tables-ejbca-*.sql

Important Notes

Improving Reliability of Direct Publishing

This section is only relevant when using direct publishing.

A new option, Use safe direct publishing, has been added to Publishers. With this option enabled, EJBCA will temporarily write certificates to the publisher queue even if direct publishing is enabled, so publishing can resume in case the transaction fails.

Additionally, this option makes the issuance operation finish just before direct publishing happens, instead of after.

It is recommended to enable the Use safe direct publishing option for publishers, where direct publishing is used, and maximum reliability is required. For some high volume PKIs this may lead to a slight performance drop.

Improving Reliability of Certificate Transparency Submission

This section is only relevant when using Certificate Transparency timestamps (SCTs) in certificates.

As of EJBCA 7.8.0, EJBCA keeps a journal (in IncompleteIssuanceJournalData) of pre-certificates, so they can be revoked if an outage occurs after pre-certificate generation, but before the final certificate generation has finished.

A new type of Service has been added, Pre-Certificate Revocation Service, which revokes pre-certificates after a defined amount of time (by default 30 minutes), if the issuance operation has not finished.

It is recommended to add the Pre-Certificate Revocation Service if Certificate Transparency timestamps are used in certificates.